Troja vs. OffURL: which website security scanner wins?
OffURL runs 150+ no-signup security checks with CVE lookup and threat intel. Troja adds AEO, connected deep-stack scans and AI fixes. Here's the honest comparison.
Short version: OffURL is a no-signup security scanner built for vibe-coders — 150+ checks, CVE lookup, threat-intel feeds and a refreshingly simple $1.99-per-report model. Troja does security too, but adds AEO (can AI answer engines cite you?), connected deep-stack scans of your real GitHub, Supabase, Stripe, Vercel, Railway and Resend, active authenticated tests, monitoring and an MCP server. Want a cheap one-off external audit? OffURL is excellent. Want to scan the stack behind the page and fix it in your editor? That's Troja.
What is OffURL?
OffURL (offurl.com) runs 150+ checks across 16+ categories in about 30 seconds, no account needed. It's unusually deep on pure security: application security (XSS, SQL injection, SSRF, SSTI, LFI/RFI, CORS), active pen-tests (CRLF, command injection, rate-limiting), CVE lookup via the NVD API, subdomain-takeover detection, threat-intelligence feeds (URLhaus, PhishTank, Feodo), a complete email-auth suite (SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT), WCAG accessibility and domain intelligence (WHOIS, domain age, Archive.org history). The fix model is a paste-ready LLM prompt template for Claude, Cursor or Grok. Pricing: your first premium report is free, then $1.99 per report — no subscription.
Troja vs. OffURL at a glance
| Capability | Troja | OffURL |
|---|---|---|
| Security checks | ✅ 120+ | ✅ 150+ |
| SEO audit | ✅ 68 checks | ⚠️ ~8 checks |
| AEO (AI-answer visibility) | ✅ 46 + engine matrix | ❌ |
| Accessibility (WCAG) | ❌ | ✅ |
| CVE + threat intel | ⚠️ partial | ✅ NVD + feeds |
| Email auth | ✅ SPF/DKIM/DMARC | ✅ + BIMI/MTA-STS/TLS-RPT |
| Copy-paste AI fixes | ✅ per finding | ⚠️ one paste template |
| Connected deep-stack scan | ✅ 6 providers | ❌ external only |
| Active / authenticated tests | ✅ DAST | ✅ pen-tests |
| Monitoring · MCP · API | ✅ | ❌ |
| Pricing | $19/mo | $1.99 / report |
Where OffURL is strong
OffURL has the broadest pure-security surface in this category — CVE cross-referencing, live threat-intel feeds, subdomain-takeover detection and a full email-authentication suite (it even checks BIMI, MTA-STS and TLS-RPT, which most scanners skip). The pay-per-report pricing is genuinely friendly for a one-off pre-launch audit, and there's no signup wall.
Where Troja goes further
Three gaps matter for builders. First, AEO: OffURL won't tell you whether ChatGPT or Perplexity can cite you, and AI answer engines are now a real traffic source. Second, connected deep-stack scanning — OffURL only sees the public page, while Troja uses read-only tokens to find leaked secrets in your GitHub source, permissive Supabase RLS, weak Stripe webhooks and misconfigured hosting. Third, the fix loop: OffURL gives one prompt template; Troja writes a tailored fix prompt per finding, streams them into your editor over MCP, and re-tests them with one click — plus monitoring, white-label reports and an API.
Which should you choose?
- You want a deep, cheap, one-off external security audit with no subscription → OffURL.
- You also need AI-visibility, your real backend scanned, and an ongoing fix-and-monitor loop → Troja.
Both are strong. OffURL is the better à-la-carte security checkup; Troja is the better home base if security, search and AI visibility all live on your plate.
Frequently asked questions
Is OffURL free?
Your first premium report is free with no credit card; after that it's $1.99 per report. There's no subscription and no signup required — it's a pay-per-audit model. Troja's scanning is free, with subscriptions (from $19/mo) that unlock AI fix prompts, connected deep-stack scans and monitoring.
Does OffURL check AEO (AI answer-engine visibility)?
No. OffURL covers security, performance, basic SEO and accessibility, but it does not grade AEO — whether ChatGPT, Claude, Perplexity or Google AI can read and cite your site. Troja runs 46 AEO checks plus a per-bot crawl matrix and snippet grading.
Does OffURL scan my codebase or database?
No — OffURL scans your site externally from the public page. Troja can connect read-only tokens to deep-scan your real GitHub source, Supabase RLS, Stripe webhooks, Vercel/Railway config and Resend email auth.
Which has better AI fixes, Troja or OffURL?
OffURL gives you one paste-ready LLM prompt template to drop your report into Claude, Cursor or Grok. Troja generates a specific fix prompt per finding and exposes an MCP server so an AI agent can pull findings and fixes straight into your editor.